The impact of UK data protection on data analytics and AI

AI's ability to analyse large data sets and obtain insights has resulted in data analytics becoming increasingly synonymous with the technology. This poses potentially serious compliance risks for IT professionals and organisations unaware of the legal implications of AI finding its way into analytics. When organisations decide to use analytics that process data containing personal information, it is important to be fully aware of the data protection considerations under UK data protection laws (UK GDPR).

Data protection by design

Prior to implementing a data analytics solution, organisations should consider data protection issues where personal data is being used, as well as any potential confidentiality and intellectual property issues. The UK GDPR obliges organisations to implement appropriate technical and organisational measures that demonstrate the principles of data protection are integrated into any processing. The principle of "data protection by design" is one such measure; together with the accountability principle, it is key to data protection compliance.

When using new technologies, businesses are required to undertake a Data Protection Impact Assessment (DPIA) in advance, to demonstrate that data protection issues as part of the principle of accountability have been considered. This documents considerations and any mitigation of identified risks. Examples of mitigation include pseudonymisation, security or organisational controls, or data minimisation and retention.

Personal data

Personal data includes data that relates to a living individual from which they can be identified. It can cover data sets that are pseudonymised but which still give the organisation the ability to identify an individual using a key or other data sets. Care needs to be taken to recognise that such pseudonymised data sets remain personal data where the controller has access to the 'key', because the data is not truly anonymised.

Lawful basis

In order to lawfully process personal data, organisations must have a legal basis. The most relevant for data analytics may be (1) consent; (2) the processing is necessary to perform a contract with the individual; or (3) the processing is necessary for the organisation's legitimate interests or those of a third party (unless there is a good reason to protect the individual's personal data, which overrides those legitimate interests).

If relying on legitimate interests, the organisation will need to undertake a three-tier balancing test and record the outcome in a Legitimate Interests Assessment (LIA). Relying on consent can be challenging: the breadth and detail of the consent obtained will need to be examined to see whether it extends to this type of processing and purpose, and consent may be withdrawn at any time. The concepts of purpose limitation and compatibility will also need to be considered.

If the personal data contains special category data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, or data concerning health, a person's sex life or sexual orientation), further conditions apply on top of the legal basis.

AI

AI introduces further considerations. If using automated decision-making or profiling, organisations may in certain circumstances be required to notify data subjects and provide information about the logic involved and the potential impacts of the processing.

The UK GDPR provides that personal data should be processed 'fairly', which means being transparent and not processing data where doing so is unduly detrimental, unexpected or misleading to the individuals concerned. Data analytics that learn from data may reflect discrimination or bias in that data and may therefore perpetuate discrimination, contrary to fairness. Organisations will need to consider not only the data the analytics software is provided with at inception, but also the data it is fed on an ongoing basis, in order to avoid discrimination and keep up with ever-changing demographics, and should record this in the DPIA.

Data protection notices and ROPAs

Ensuring that personal data is used in accordance with the organisation's privacy notices, which must be kept up to date, is key. Organisations also need to keep their mandatory Record of Processing Activities (ROPA) up to date. Retention of the data in accordance with the organisation's data retention policy will also need to be reviewed and updated.

Toolkit

We have outlined some of the key points to consider at the start of any data analytics project, although compliance with data protection laws is a continuing obligation. Given the ever-evolving nature of technology, and AI in particular, a business's internal processes and compliance reviews will need to be dynamic. The UK supervisory authority, the Information Commissioner's Office (ICO), has produced a toolkit that can assist businesses at the start of a data analytics project.

Beverley Flynn is a data protection expert and partner at Stevens & Bolton; Jessica Gregson is a trainee solicitor at the same.